
2017 Outlook: Cybersecurity and Data Privacy

Mayer Brown, January 2017

Key Issues

Companies should consider these issues as they continue to refine their cybersecurity and data privacy programs in 2017.

• Ongoing regulatory scrutiny of cybersecurity and data privacy across a wide range of industries
• Security and privacy challenges for the Internet of Things
• Evolution in international cybersecurity and data privacy governance
• Continued growth of cybersecurity and data privacy litigation
• Litigation and debate about law enforcement’s access to electronic data

The Trump administration has publicly provided limited details so far about its plans for cybersecurity and data privacy policy. Reports suggest that the administration intends to pursue a thorough review of the federal government’s cybersecurity policy, although no concrete steps have been taken as of the date of this publication. But even if priorities change at the federal level, the scrutiny of cybersecurity and data privacy issues that companies face from litigants, regulators, Congress, contractual counterparties and others is poised to remain high. Moreover, cyber threats and other data privacy challenges are growing, including as increasing numbers of connected devices join the Internet of Things. Effective responses will continue to depend upon clear-eyed assessments of risks and broad engagement across the enterprise to mitigate them.
Key issues for companies doing business in the United States and for US businesses operating globally, as they continue to refine their cybersecurity and data privacy programs in 2017, will include:

• Ongoing regulatory scrutiny of cybersecurity and data privacy across a wide range of industries
• Continued growth of cybersecurity and data privacy litigation
• Security and privacy challenges for the Internet of Things
• Litigation and debate about law enforcement’s access to electronic data
• Evolution in international cybersecurity and data privacy governance

Cybersecurity and data privacy issues continued to grow in significance for multinational businesses over the past 12 months, further heightening the importance of preparing and responding in a strategic, coordinated and enterprise-wide manner in 2017.

Ongoing Regulatory Scrutiny of Cybersecurity and Data Privacy Across a Wide Range of Industries

The federal government has continued to use a wide range of policy tools to influence cybersecurity and data privacy practices in the private sector. For example, after extended engagement with stakeholders, the National Institute of Standards and Technology (NIST) released version 1.1 of its Cybersecurity Framework for comment in January 2017. Moreover, the Obama administration took significant steps to enhance public-private coordination. It worked to implement the Cybersecurity Information Sharing Act in a way that maximizes information sharing while meeting privacy obligations and clarified the federal approach to responding to cybersecurity incidents in the private sector. But the federal government did not limit itself to such collaborative public-private efforts. Regulatory and enforcement agencies in the United States also continued to use their authorities to address cybersecurity and data privacy concerns in 2016.
Going forward, companies will need to pay careful attention to relevant regulatory requirements, guidance and enforcement actions to meet agencies’ expectations in the Trump administration. In addition to the Internet of Things, which we address in a subsequent section, key issues include:

Consumer Privacy and Data Security: Regulators at the federal and state levels have continued to focus on consumer privacy and data security issues. For example, the Federal Communications Commission (FCC) pursued rulemaking in the field, active enforcement of the Health Insurance Portability and Accountability Act (HIPAA) has continued, the Consumer Financial Protection Bureau (CFPB) reached its first consent order for alleged misrepresentations about the security of a payment network provider, and a group of 15 state attorneys general settled their enforcement actions relating to the 2013 Adobe data breach.

In particular, the Federal Trade Commission (FTC) has played a leading role through both its enforcement actions and education initiatives. For example, it published a blog post in which it explained its view that the approach reflected in its data security enforcement actions is “fully consistent” with that of the NIST Framework. The FTC also has solicited comment on whether further amendments to the Safeguards Rule, issued under the Gramm-Leach-Bliley Act, would be appropriate. And the FTC has indicated its interest in consumer privacy and security issues related to connected cars and the Internet of Things more broadly. Finally, the FTC commissioners unanimously overruled the decision of an FTC administrative law judge who had dismissed the long-running data security action against LabMD, an action that now is on appeal to the Eleventh Circuit. While these examples reflect the intensity of the FTC’s focus on privacy and security in recent years, the agency’s approach may evolve in the new administration.
In January 2017,
